iOS dictionary app maker working on new way to shame pirates

"Old code" blamed for screwup that targeted paying customers.

Earlier this week, we reported the story of an iOS app maker intent on shaming pirates by hijacking users' Twitter accounts in order to post a message saying "How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession."

This anti-piracy campaign was certainly unique, but it backfired. Many customers who paid as much as $50 for dictionary applications for their iPhones and iPads were targeted, because the system went into place without being capable of distinguishing between pirates and non-pirates.

We've exchanged a few e-mails with Enfour, the company in question, to find out how the anti-piracy system was supposed to work, and whether the company plans to try again. In short, Enfour blamed the problem on "old code" that has now been taken out of the apps and thrown in the trash. But Enfour isn't done—it's busy working on a new and better way of targeting pirates.

Your app's anti-piracy module, it's not working

"There was old code from a previous version of the module that was timed to activate on November 1," Enfour VP of Communications Tracey Northcott told Ars via e-mail. "This didn't affect everybody. It only affected people who let the app go to 'sleep' while using it on November 1. If the user shut down the app after using it, then there would be no issue. If a person didn't use the app between October 31 and updated on or after November 2, then they would not have been affected at all. There are still some people who have this issue as they haven't yet updated their apps."

Northcott declined to say exactly how Enfour was trying to identify pirates, saying, "I am going to be suitably vague on our exact method for proprietary reasons." But another iOS app developer, Chris Cieslak, told us there are several ways of going about it.

"There's a few ways I've seen in the past," Cieslak said. One method is to simply check if the phone is jailbroken by seeing if it contains files only present on jailbroken devices (like the Cydia app store), but this is far too likely to bring up false positives because jailbreakers aren't automatically pirates.

Cieslak continued:

Another way to find out if the app's been cracked is to see if the actual executable code in the app's bundle is still encrypted by Apple's FairPlay DRM. This could present a false positive/negative issue in production, since only public iTunes Store builds are encrypted. It's impossible to test fully in developer or beta ad-hoc builds, which are not encrypted.

The other way I've seen is to inspect the app's App Store metadata. There's a file called iTunesMetadata.plist, added to the app bundle by Apple when one uploads an app to the store, which contains identifying information of the app's original buyer, along with version info, icon info, and other store-specific stuff. This is stripped out by many crackers, so the app could simply see if it exists and assume it's pirated if it's not there.

This could cause a false positive if Apple renames this file, changes its format, or removes the file entirely. It's not part of any public spec.

Now, any check in code could always be bypassed through the normal means like on any other computer: dumping classes, disassembly, etc. Which makes these techniques even more useless, in my opinion.

Finally, anti-piracy code is just like any other code: it's going to have bugs. Except, in this case, they're bugs that really get your users mad. Not worth it at all, at least in my opinion.
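The FairPlay check Cieslak describes comes down to reading the `cryptid` field of the encryption-info load command in the executable's Mach-O header. The C sketch below is an added example, not code from the article or from Enfour; it assumes a thin little-endian Mach-O image, its sample headers are constructed, and `naive_is_pirated` is a hypothetical policy included to show how unencrypted developer builds trip the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in Apple's <mach-o/loader.h>. */
#define MH_MAGIC_32           0xfeedfaceu
#define MH_MAGIC_64           0xfeedfacfu
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2cu

typedef enum {
    ENC_UNKNOWN    = -1, /* truncated, fat, or not a little-endian Mach-O */
    ENC_NO_COMMAND =  0, /* no encryption-info load command present */
    ENC_CLEAR      =  1, /* command present, cryptid == 0 */
    ENC_ENCRYPTED  =  2  /* command present, cryptid != 0 */
} enc_state;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the load commands of a thin Mach-O image and report its cryptid state. */
enc_state macho_encryption_state(const uint8_t *buf, size_t len) {
    if (len < 28) return ENC_UNKNOWN;
    uint32_t magic = rd32(buf);
    size_t off = magic == MH_MAGIC_32 ? 28 : magic == MH_MAGIC_64 ? 32 : 0;
    if (off == 0 || len < off) return ENC_UNKNOWN;
    uint32_t ncmds = rd32(buf + 16);
    for (uint32_t i = 0; i < ncmds; i++) {
        if (len - off < 8) return ENC_UNKNOWN;
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > len - off) return ENC_UNKNOWN;
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) {
            if (cmdsize < 20) return ENC_UNKNOWN;
            return rd32(buf + off + 16) ? ENC_ENCRYPTED : ENC_CLEAR;
        }
        off += cmdsize;
    }
    return ENC_NO_COMMAND;
}

/* Hypothetical policy: treat everything that is not encrypted as pirated. */
int naive_is_pirated(enc_state s) { return s != ENC_ENCRYPTED; }

/* Constructed sample: 64-bit header plus an optional encryption-info command.
   `cut` drops bytes from the end to simulate a truncated file. */
enc_state sample_state(int with_cmd, uint32_t cryptid, size_t cut) {
    uint8_t buf[56];
    uint32_t hdr[8] = { MH_MAGIC_64, 0x0100000cu /* arm64 */, 0, 2 /* MH_EXECUTE */,
                        with_cmd ? 1u : 0u, with_cmd ? 24u : 0u, 0, 0 };
    uint32_t enc[6] = { LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0 };
    size_t n = 0;
    for (int i = 0; i < 8; i++, n += 4) wr32(buf + n, hdr[i]);
    for (int i = 0; with_cmd && i < 6; i++, n += 4) wr32(buf + n, enc[i]);
    return macho_encryption_state(buf, cut < n ? n - cut : 0);
}

int main(void) {
    struct { const char *label; enc_state s; } rows[] = {
        { "store build (cryptid=1)",      sample_state(1, 1, 0) },
        { "unencrypted build (cryptid=0)", sample_state(1, 0, 0) },
        { "no encryption command",        sample_state(0, 0, 0) },
        { "truncated file",               sample_state(1, 1, 8) },
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("%-30s state=%2d naive_is_pirated=%d\n",
               rows[i].label, rows[i].s, naive_is_pirated(rows[i].s));
    return 0;
}
```

Every outcome other than `ENC_ENCRYPTED` makes the naive policy fire, so an unencrypted developer or ad-hoc build is indistinguishable from a cracked copy by this check alone. A safer design treats `ENC_UNKNOWN` and `ENC_NO_COMMAND` as "cannot tell" rather than as evidence of piracy.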

Enfour may have a completely different, more advanced method, based on what Northcott told us. "We do not discriminate against jailbroken phones, as we know there are plenty of legitimate customers who have jailbroken phones," Northcott said. "The checks are much more complicated than this. Our method involves coding to below the standard objective C level. Just to give you some more background, we have been coding to this level since the Apple Newton days. This is the first accident of this sort we have ever been involved with."

According to an apology letter Enfour wrote to customers, the anti-piracy module worked like this: "Upon waking, a dialog box showed 'Run in Safe Mode,' then the app disabled itself and performed an auto soft close. A notification appeared locally on the device and if the user had authorized the app to access their Twitter account, a tweet of the notification was sent out under their account with a hash tag #softwarepiracyconfession. This tweet only happened if the user tapped a send confirmation button."

Northcott said fewer than 0.3 percent of users tweeted out piracy confessions during the first 24 hours in which the faulty code was deployed, "and at least half of those were really pirated copies." But the problem extended well beyond those 24 hours. More than two weeks later, the tweets are still coming in dozens of times a day. Enfour says it asked Twitter "for a mass pulldown of these tweets," but Twitter refused.

The pirate confession tweets go back to before November 1, Northcott said, but those earlier tweets were only from customers who actually pirated the apps. The false confessions didn't go out until that "old code" set on a timer had been activated.

"Our apps have had varying forms of anti-piracy measures included over the last few years," she said. "We have tried different methods, tweaked them and changed them completely. The iOS platform is constantly changing and also the way that the crackers pirate the apps changes constantly as well. It is an ongoing tug of war. We are not the only developer that has modules built in. There are probably others who have had some false alarms too, but these may not have been reported by the press."

Enfour plans to bring back its anti-piracy system, but it did not say when it will reappear or if it will work in the same way. "We have had emergency meetings and we have completely revised the anti-piracy policy," Northcott said. "For the updates we just pulled it all out in the interest of timing. Soon we will have a new iteration of our engine that has downloadable components. This allows more control over the components and so we will not have to use the same sort of module that malfunctioned two weeks ago."

Enfour is scrapping the old code entirely, starting from a "blank file," to make sure it never targets legitimate customers again.

Fightin' pirates

Enfour's fight against pirates isn't over, because the company thinks it's one well worth fighting. "We do a clean-up of pirated apps every week, serving DMCA notices where we can," Northcott said. "This is a lot of work and especially hard because we need to do so in a number of languages. But they keep popping back up. It is usually only the well-known (and more expensive) titles that continue to be distributed online."

Enfour says it has found more than 3 million instances of pirated copies of its apps, including cases where the people who cracked them were charging money for the ripped-off copies. "We have seen days when certain titles have had 2000 new users but we have sold only 20," she said.

Northcott sees a race to the bottom in Apple's App Store, with rankings based on the number of downloads favoring apps that are free or cost just 99¢.

"This is not a sustainable model for any but a handful of games," she said. "Developers are not rewarded for developing quality products that can command a decent price. We are relegated to pumping out the equivalent of '80s shareware. At this rate a hollowing out of the market will occur—with only hobbyists and large production houses being left in the game."

Dictionary apps can cost anywhere from $20 to $50 because they have real value, are larger and more complex than most apps, and contain content "that takes hundreds of man-years to compile," she said. "What cost hundreds of dollars as a desktop application delivered on a DVD a few years ago is now available for 100th of that as a smartphone app."

Many people are willing to pay the money. But there is enough piracy that finding some way to discourage people from downloading ripped-off copies is a worthy goal, in principle. Three years ago, we reported on an iPhone app developer who found a way to turn cracked versions of apps into demos. The developer's anti-piracy measure involved having apps "phone home" to a server, which could detect whether it was cracked.

Enfour went much further—and its story shows that targeting pirates on a large-scale basis takes immense effort and is fraught with risk.

Promoted Comments

It's funny how in this article the devs make it seem as if the Twitter authorization was optional and the tweet was optional when in the previous article relating to this story, it had clearly been established that unless you linked your Twitter account to the app, the app closed and didn't allow you to use it.

This is really the wrong way to go about it. People who want to pirate - will continue to do so. If people aren't going to pay money, you can't twist their arms. Shaming them by tweeting will only ensure the more determined pirates create a fake Twitter account and let all the tweets go there. This will then not affect the pirate in any way and it will be business as usual for them.

With the amount of effort they're going to couldn't they just ask that you create an account with them and verify the app the first time you use it? Perhaps after major updates too. Surely that would be enough for a significant number of cases.

Yes an extra step for some users but these guys seem determined to do something and it's surely better than false positives.

Just a thought but there has to be some decent tried and tested alternatives.

While not directly related to the main focus of the story, the last bit about prices intrigues me somewhat.

I agree that the "99 cents only!" model is not sustainable for anything that:

* Requires a great deal of effort to develop, maintain, and support (especially in the absence of "upgrade" fees currently in the iOS store; does the Play store work the same?)
* Has a limited target audience
* Can't be sustained financially through other revenue streams (subscriptions to services, ads, etc.)

But in this particular case, I'm curious what sort of value a dictionary app has. Clearly it has SOMETHING, as it seems a nontrivial number of people have bought it. But what sort of information or functionality do you get out of a dictionary app that cannot be had through any number of other similarly convenient means (Google, dictionary.com, Siri, etc.)?

I'd have to say that if I were a paying customer and they misrepresented me by hijacking my account, I would be livid. I would call the police and try to charge them with unlawful access to a computer system. This is a big deal and I hope they get hit with the 2x4 of justice.

Sorry, I call bullshit. If I can buy a paper dictionary so cheaply, why does an app have to cost so much?

I think part of the problem is trying to gouge paying customers. That said, there are plenty of pirated copies of 99cent games too. Still those 99cent games also sell thousands and the overpriced dictionary doesn't.

Time for a new pricing strategy perhaps?

I as a legal and paying user of both tablet markets, treat apps as disposable. I don't know when some chump at Apple or Google is going to break something on the OS or indeed come out with a new shiny that makes me ditch the old system.

Apps are not an investment. The pricing should reflect that. Anything that doesn't gets ignored by most users, me included.

Northcott said. "The checks are much more complicated than this. Our method involves coding to below the standard objective C level. Just to give you some more background, we have been coding to this level since the Apple Newton days. This is the first accident of this sort we have ever been involved with."

Then you're doing something you shouldn't be doing. There is very little reason to do these tips and tricks from twenty years ago on today's systems. APIs are there for a reason. If your super enhanced uber assembly goes wrong, you can hose systems, break programs, and generally aggravate users with your snooping around in areas you're not supposed to be.

They say this like it is a good thing, like they are "leet coders" or something. It's not. Coding at that level is just not necessary any more and is bad practice to do in the first place. Use the APIs, and stick to code that you can test and doesn't trample on the user's system.

Enfour is lucky that the user base is pretty global, making it harder to organize a legal response. I'd expect Apple to have a more immediate impact, if they go after Enfour over ToS violations. Fighting something like this in court, particularly in the U.S., would be difficult and the outcome would not be assured. Might have a better shot in the EU, where privacy and data laws are better defined and more strict.

There is some serious cognitive dissonance going on when vendors believe the number of pirated instances has ANY relationship to the number of legit buyers they would have if piracy magically disappeared. They need to focus on their paying customers, keeping them happy. Various oddball DRM schemes don't make us happy. Get it? Obviously not. Some other developer will get my money then.

Punishing and shaming your customers is not "adding value." Maybe they should spend their engineering resources actually adding value into their product instead of absurd and faulty "anti-piracy" measures.

If we've learned anything out of this hilarious mess - right now is the best time to pirate their apps. You can just claim their faulty anti-piracy measures wrongly accused you.

Also, has anyone setup a group twitter account that all the pirates can share?

I'd have to say that if I were a paying customer and they misrepresented me by hijacking my account, I would be livid. I would call the police and try to charge them with unlawful access to a computer system. This is a big deal and I hope they get hit with the 2x4 of justice.

Snowraver1: This app company hacked my phone by tweeting something I didn't allow!!!!
The Cops: What's a tweet?
Snowraver1: Sort of like a text message I guess, but on the internet.
The Cops: So, that's a crime or something? I don't get it.
Snowraver1: YES! I'm livid!
The Cops: Yeah, well we have murders and things to stop, and tickets to write because they make us money. Let us know when something important happens.
Snowraver1: Wait, I'm not done yet!
Ma Bell: If you'd like to make a call, please hang up and dial again. If you feel you've reached this message in error...

File this under "The Death of Customer Service." The beauty of the scenario is that every impacted customer already has a Twitter account from which they can denounce the company that attempted to humiliate them.

I don't see why they think that it's worth upwards of $50 to purchase a dictionary app. I barely ever find myself in need of one, and when I do need one, I can purchase a paperback one for about $5. On the other hand though, I've often used Google as a spell check too. It's free and readily available pretty much any time I find the need. I'll admit that there are probably people out there that have a much higher need of a dictionary, but I don't think it's fair to charge quite a high amount of money for something that can be found much cheaper (if not free) elsewhere.

As for the anti-piracy stance, I think the companies need to give up the chase. As someone posted here earlier (I don't remember the user unfortunately) but these companies appear to still be using an old model to determine piracy. They count "new users." But as the other person brought up, what about someone who just bought an iPad, or a new iPhone and wants to download the app they already paid for onto the new device. Doesn't this count as a "new user" by their terms?

I also never put any stock into any company that says the piracy rate for their software is anything above 50% (and that's being generous). You know what, I'm going to end my rant on that here. If I really get going on a DRM rant, I'll never stop (I'm going to get downvoted enough as it is).

I can understand having a piracy check that will cut you off from the servers so the devs aren't paying any bandwidth costs for illegitimate users.

Other than that many pirates target high priced apps for prestige, so they can say they have $X,xxx worth of apps on their phone. A large portion of these pirate users would NEVER buy the app and probably NEVER use it.

The race to the bottom argument is flawed too... it's possible if they cut their price in half, twice as many people could afford to purchase it. We aren't buying expensive to manufacture 20 volume sets of color printed encyclopedias anymore, we are purchasing a database and a front end.

I'm confused; first they say that the old anti-piracy code was working, except for the "explode on Nov 1" bit, and then they say they're throwing out all of the anti-piracy code and starting from scratch. Seems like the most sensible approach is to keep what worked, improve it some, but don't throw it out and start over.

I think what gets me here is the completely unapologetic nature of the response. Considering the libelous nature of their action, they should be falling over themselves to apologize for what they did. Instead, it was the fault of 'old code' and their new 'below the line' uber-coding systems will ensure they have a 'more advanced' system deployed. This is a total PR failure.

"...There are probably others who have had some false alarms too, but these may not have been reported by the press."

So wait a sec... they're trying to push the notion that other developers have made the same mistakes, and simply weren't caught? That sounds incredibly disingenuous to me, and ignores the root problem entirely. Bottom line: Two wrongs don't make a right. They are well within their rights to prevent a pirate from using their app... and a false positive in that scenario would have become nothing more than a case of, just fix the bug and move on. Instead, they engaged in activities which are almost certainly illegal in many countries. It was a really dumb move, because even ignoring the legal ramifications of their activities, a lot of people who might have otherwise considered buying their wares will now look elsewhere, solely because of this issue.

Or to put it another way... attempting to redirect attention onto other developers is a classless rookie move; Enfour screwed up, plain and simple.

(Personally, I would never have bought their app in the first place -- or pirated it, for that matter... because even ignoring the built-in dictionary entirely, there are plenty of decent dictionary websites which would suit my own needs just fine.)

Serious pirates will just download a version of the app prior to these piracy updates. Seriously, how often would you need to upload a Dictionary app anyway in real world use?

How did the app publish to Twitter without the app asking for permission first? ("This app would like permission to post on your Twitter feed?")

It did ask for permission. The problem was that if you did not grant it, the app shut itself down so you could not do anything else. Next time it launched, right back to demanding access to Twitter. People actually gave it access, not expecting it to pull some hare-brained @#$%! like this.

That's the basic problem with the "ask permission" model - far too many apps asking for too many permissions.

What an unapologetic ass. He even blames the users for Enfour's gross incompetence. I also liked:

'Our method involves coding to below the standard objective C level. Just to give you some more background, we have been coding to this level since the Apple Newton days.'

Whenever someone says something like this it means the actual code is a monstrosity that should be featured on http://thedailywtf.com/ They've probably got one self-proclaimed genius coder who's too wild and untamed and freeeeee to even use version control, which is how the 'old' code got in the release. Unless that's just another lie and they just didn't QA it properly - QA is for THE MAN.

There's so much wrong with this it's hard to see where to start, but I don't think "wiretapping" belongs on the list.

I put it there because I figured if they have enough access to your twitter, what is to stop them from doing something other than posting, either way the point I was trying to make is they did so much wrong that it makes it fairly for some consumer advocacy group to come in and find a flaw with this.

This is just incredible. It's absolutely wrong to have hijacked the Twitter accounts of their paying customers due to some bug. However, even beyond that, I think there are some serious ethical and legal questions even if the app had worked as intended. Just because someone has pirated your software doesn't give you the right to break into their accounts and impersonate them at some later date--I can't imagine that's legal, either. If someone steals my TV, does that give me license to go to their house next month and spray-paint "THIEF!" on their front door as a deterrent? I'd think not, as that's what the justice system is for. It's within your right to take reasonable steps to try to stop a crime against you as it's in progress--I know of no legal system where you're allowed to do something illegal to someone who caused unlawful harm to you for no better purpose than to deter others well after the misdeed has been done.

Someone correct me if I'm misreading this series of events:
1) The dictionary company sells ~$50 app to people.
2) The dictionary company puts a back-door in there with Twitter accounts where they can post tweets if they deem the app to be pirated
3) They mass-post tweets accusing some of their paying customers of piracy
4) They refuse to say exactly how they're identifying the "pirates"--already shown to be untrustworthy--because of "proprietary reasons".

Is it just me, or do we have a new King Douchebag of the Year award to hand out? Jesus F**king Christ. This is unbelievable.

While what Enfour is doing (IMO) is wrong, I hate the lazy attitude our society has developed in regards to pirating. Many of the posts sound like they are defending and/or advocating pirating. Enfour can charge what they want, and that's that. If you pay, great. If you don't, then great. They'll either price themselves out of the market or make money on customers willing to meet their price point. But there is no difference between stealing music, videos, etc. and stealing physical objects like clothing. Enfour created a product, put a price on it, and distributed it just like any other product. People need to respect that.

Hmmm, maybe it would be worth it if they can iron out the kinks in this anti-piracy thing. Stick it back to the pirates and let them whine about being violated...

If I bought a $55 app and it wouldn't run without a fucking Twitter account I'd be hitting the refund button immediately. Why on earth would a dictionary app need Twitter access anyway? That would set off warning bells to the nature of the app immediately. And who in their right mind pays that much for something that could be had for free?

As for the tweeting and the `going below api` thing, they sound like unprofessional idiots who deserve the drop in sales this will bring them (although they will probably blame pirates for that).
